"friend"/user can still access my PMS and watch content after being deleted?!

@kegobeer-plex ,

Look, I’m not going to get into an argument with you…but all you’ve done here is provide “work-arounds”. Like, NO, I’m not going to remove DHCP from my router. I’m also not going to remove my custom certs and domain name (so that I can access the server when PLEX is down), and I’m definitely NOT going to move my webserver to a VM because PLEX can’t figure out authentication. Seriously? No.

It’s really not a complicated process:

  1. User launches PLEX app ->
  2. App authenticates with PLEX.tv (since user is remote) ->
  3. Server list is generated (this is where my server would drop off his app since I removed him)
    a. If user has settings in the app for direct access and is on the same LAN as the PMS, user is granted access.
    b. If user has settings in the app for direct access and is remote, user would obviously be denied access.

It boggles my mind that PLEX “sold-out” their users to FB and Google under the excuse of “hardening” the auth process, which can (and does) lead to server owners in a situation where they can’t access their own PMS on their own private LAN, but yet a remote user who isn’t on the friend access list can access a PMS?! THAT Sir, is the bottom line.

Cheers.

You don’t remove DHCP from your router. I don’t know where you thought I recommended doing that. Create a DHCP reservation for your playback clients so that they always get the same IP address, then put those IP addresses in the auth block. That is standard basic networking.

@kegobeer-plex said:
You don’t remove DHCP from your router. I don’t know where you thought I recommended doing that. Create a DHCP reservation for your playback clients so that they always get the same IP address, then put those IP addresses in the auth block. That is standard basic networking.

There should be NO NEED to make IP reservations so devices can play media from a local server. That’s basic networking.

This is fascinating stuff. Anymore?

@NewPlaza said:
This is fascinating stuff. Anymore?

I was thinking the same thing.

welp, this happened again today.

I had a good convo last week about this on the DISCORD channel and finally got a somewhat good suggestion to re-invite the deleted user, and then unshare my libraries. However, I just tried to do that and I get the error that he’s already my friend …but he’s not on my friend list, but he’s watching something as I’m doing this. WTF

How is this a thing?!

@seanvree81 said:

How is this a thing?!

Plain and simple … Plex is buggy as fck. Even the most simple functions don’t work reliably anymore these days, yet more complicated auth. Sad truth.

@seanvree81 said:
I had a good convo last week about this on the DISCORD channel and finally got a somewhat good suggestion to re-invite the deleted user, and then unshare my libraries.

This was actually my first thought when I started reading this post. Removing the libraries before removing the user.

I understand you have a unique setup, but one would hope the architecture of Plex would be such that this couldn’t happen, based on the way you outlined it earlier. If external = Plex authenticates.

I run a stock Plex setup with recommended network settings. Do I now need to be concerned about deleting users as well, if I don’t remove their library access first?

@AmazingRando24 said:
I understand you have a unique setup, but one would hope the architecture of Plex would be such that this couldn’t happen, based on the way you outlined it earlier. If external = Plex authenticates.

Plex cannot know this is an external access, because OP is running a ‘Reverse Proxy’ on his network which makes all external accesses appear as if they come from within the local network.
And then the preference ‘List of IP addresses and networks that are allowed without auth’ exempts all hosts on the local network from the need to authenticate…

@seanvree81 said:

@kegobeer-plex said:
Since you have a url that gives access to your server, do you also have a reverse proxy set up? That would make any request appear to be local, and since you’ve given all your local IPs access without auth, your recently kicked friend still has access.

Remove the blanket access you’ve given to all the IPs on your local network, which should remove his access to your Plex server.

@kegobeer-plex .

Really appreciate your responses brotha.

Okay a bit confused now. Yes, I do have a reverse proxy set up, so that MAY be how he was accessing…which makes sense. I deleted my PlexPY data, so I can’t tell his IP address.

So, you previously said to remove the “LAN networks”, so am I now removing “list of addresses and networks without auth”? So both of those blocks are empty? NOW, because of the new auth “restrictions”…if I remove the local subnet mask from the last box, that means that if PLEX ever goes down (or my WAN), I wouldn’t be able to auth, right, which would make my PMS inaccessible to ME?

Yes and No, more like sorta but not really.

You may not be able to connect via plex.tv if plex or your wan goes down, but as long as you are on the same local network (192.168.1.x) in your case, you can always directly access the server by the local server ip.

What I suspect is happening, since your ex-friend has your direct domain, is that he can connect via that domain and port. With the reverse proxy, all connections appear local.

He may still be connecting as his plex user (instead of guest), but because you have the List of IP addresses and networks that are allowed without auth populated, and all connections appear local, voila: anyone with a plex account can access your server, as long as their client knows or knew your server domain url.

If you want to test this theory, you can PM me your domain/port, without adding me as a plex friend, and I will see if I can connect to your pms.

Otherwise, you should remove all entries from the access without auth list (or disable/change reverse proxy server).

Because the reverse proxy IP is the same as the PMS IP, all access coming in through the proxy IP is whitelisted by your settings.

If you don’t want to change your settings then blacklist/filter your ex-friend’s WAN address in your modem. Then there is no incoming access. You will need to restart your modem, Duh…

@SE56 said:
If you don’t want to change your settings then blacklist/filter your ex-friend’s WAN address in your modem. Then there is no incoming access. You will need to restart your modem, Duh…

This assumes 1) you know what the friend’s IP is, and 2) that it doesn’t change.

but still a good idea.

You could also probably block it at the reverse proxy level instead of the router.

Well correct, but it’s not hard to track incoming IP addresses and set up an alert to an email box. As for changing, most average users have a dynamic address issued by their ISP, but a lot have a static IP when using PLEX.

Then again there are methods of finding all IP ranges belonging to a specific ISP; Google has the answer. The same would be true with VPN services.

@OttoKerner said:

@AmazingRando24 said:
I understand you have a unique setup, but one would hope the architecture of Plex would be such that this couldn’t happen, based on the way you outlined it earlier. If external = Plex authenticates.

Plex cannot know this is an external access, because OP is running a ‘Reverse Proxy’ on his network which makes all external accesses appear as if they come from within the local network.
And then the preference ‘List of IP addresses and networks that are allowed without auth’ exempts all hosts on the local network from the need to authenticate…

Just FYI, the user is NOT connecting via reverse proxy. His IP address is being logged as external in PlexPY. Also, since I posted the OP I removed the local no-auth option.

I tested this with another user today as well. I added him, had him watch some stuff. Then deleted him, and rebooted the PMS, He was NOT able to watch anything, nor did my server even show up on his server list.

Also, I used a DB explorer to look at the tables inside the PLEX db, and saw two instances of his username. I removed them. I have no way of testing if this worked, but I SUSPECT that was the issue.

Again, the reverse proxy is NOT the issue here. This is a PLEX authentication problem.

@SE56 said:
If you don’t want to change your settings then blacklist/filter your ex-friend’s WAN address in your modem. Then there is no incoming access. You will need to restart your modem, Duh…

LOL, soooo, even though this is a ridiculous work-around. What if he’s on a mobile network? How the hell do I know his IP address? NO.

@seanvree81 said:
I tested this with another user today as well. I added him, had him watch some stuff. Then deleted him, and rebooted the PMS, He was NOT able to watch anything, nor did my server even show up on his server list.

Then how is the other person doing it? Could they be using your credentials (your login info)? At this point I would change my password for plex (and de-auth all clients). I mean, what will it hurt. A little bit of time…

@NewPlaza said:

@seanvree81 said:
I tested this with another user today as well. I added him, had him watch some stuff. Then deleted him, and rebooted the PMS, He was NOT able to watch anything, nor did my server even show up on his server list.

Then how is the other person doing it? Could they be using your credentials (your login info)? At this point I would change my password for plex (and de-auth all clients). I mean, what will it hurt. A little bit of time…

Dude, you got me man. That’s why I started this thread. I’m no noob. I’m a sysadmin by trade, and have worked at Microsoft in IIS (managing large companies’ webservers).

No, he’s not using my creds, HIS account shows up when he’s watching stuff.

LOL, this is becoming a ridicule of common sense. So many exceptions to a solution. I believe you need to decide the path to a solution that best suits you now. There have been plenty of solutions, but too many excuses or variables put forward.

Best solution, if possible, change ISP if your account is at end of term. If not, cancel your Plex account and create a new account with different credentials, full stop. This has become a real drain. Not to be a smartarse, just get it done. It’s really not hard.

I think what the thread-owner tries to mention is

WHY ON EARTH ARE SO HEAVY MEASURES NECESSARY TO CIRCUMVENT A PLAIN AND SIMPLE AND STUPID AUTH BUG IN PLEX?!?!?!

a) Account got deleted. (Access should be restricted. PERIOD!)
b) Friend can still access Plex. Direct, not via reverse proxy (which BTW shouldn’t matter at all. If I close an account, access to that account should be denied, no matter if it comes from external or internal. No matter if auth for internal IP addresses is switched off or not. A closed account has to be a closed account.)
c) In such a scenario … do you really think that changing the ISP or cancelling a Plex account is the right measure??? Seriously, if your house has a broken door, would you tear it down and build a new one!!!

My 2 cents … the forum here in general and this topic in particular have become a joke! Users are complaining about a bug and then they

  • either are being ignored
  • get told that it’s their fault
  • get completely irrelevant advice
  • get some attention until the topic quietly goes silent

From a user perspective this has become very frustrating

BTW, off-topic, my experience from yesterday evening:

  • Switched on TV, Plex-HTPC comes out of sleep.
  • UI Problem … only 1 of 4 users gets displayed on the login screen. Doesn’t matter. I used that user … system locks up. After about 2 mins “Cannot connect to server”. This gives me the option to get to the “Exit/Reboot/Pause/…” screen.
  • I exit. Restart PMP … now it works
  • Browsing. I select a movie and start it.
  • Right in the middle my wife shows up and asks me to replay the last scene … I press skip-back 2 or 3 times.
  • System freezes. 3 blinking dots, black screen
  • I get annoyed and exit the movie
  • Restart the movie, still need to skip back. I press skip-back and pray … this time it works

Bottom line … Plex has become an annoyance. My wife is complaining, I’m annoyed and worst of all: it’s getting worse with every update.

@seanvree81 said:

@NewPlaza said:

@seanvree81 said:
I tested this with another user today as well. I added him, had him watch some stuff. Then deleted him, and rebooted the PMS, He was NOT able to watch anything, nor did my server even show up on his server list.

Then how is the other person doing it? Could they be using your credentials (your login info)? At this point I would change my password for plex (and de-auth all clients). I mean, what will it hurt. A little bit of time…

Dude, you got me man. That’s why I started this thread. I’m no noob. I’m a sysadmin by trade, and have worked at Microsoft in IIS (managing large companies’ webservers).

No, he’s not using my creds, HIS account shows up when he’s watching stuff.

If you are so good, and a sysadmin by trade, why are you using a working host address as the representation of a full /24 class network when allowing this network in plex, and not the network ID?

Why even allow the local LAN? It’s already allowed. Why allow only 1.1? Any chance 1.1 might be your gateway?

So much weird stuff, and you act so aggressively.
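An added worked model (my own Python, not Plex code and not posted by anyone in this thread) of two points raised above: OttoKerner’s and kegobeer-plex’s explanation that a reverse proxy running on the PMS host makes every connection look like it comes from the local network, so a populated “List of IP addresses and networks that are allowed without auth” waives authentication for remote users too; and the last reply’s point that a single host address such as 192.168.1.1 is not the same thing as the 192.168.1.0/24 network. The addresses, the proxy address and the decision order are assumptions for the demonstration; Plex’s real list parser and auth pipeline are not documented here and may differ.

```python
import ipaddress

# Constructed values for the demonstration (assumptions, not from the thread).
PMS_IP = "192.168.1.10"            # host running Plex Media Server and the reverse proxy
LAN_NETWORK = "192.168.1.0/24"     # the whole LAN, as a network ID plus prefix length
LAN_HOST_ONLY = "192.168.1.1"      # a single host (likely a gateway), NOT the LAN
REMOTE_CLIENT = "203.0.113.7"      # ex-friend's WAN address (documentation range)


def parse_allowlist(entries):
    """Turn allowlist entries into ip_network objects.

    A bare host address ('192.168.1.1') becomes a /32, i.e. exactly one host.
    strict=False lets '192.168.1.10/24' mean the network 192.168.1.0/24
    (Plex's own parser may behave differently; this is the model's assumption).
    """
    nets = []
    for entry in entries:
        entry = entry.strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def allowed_without_auth(peer_ip, allowlist):
    """True if the TCP peer address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in parse_allowlist(allowlist))


def peer_seen_by_pms(client_ip, via_reverse_proxy, proxy_ip=PMS_IP):
    """Address PMS observes as its TCP peer.

    A reverse proxy terminates the client's connection and opens a fresh one
    to PMS, so PMS sees the proxy's address (the PMS host itself when the
    proxy runs there), not the real client's address.
    """
    return proxy_ip if via_reverse_proxy else client_ip


def access_decision(client_ip, via_reverse_proxy, allowlist, account_is_friend):
    """Model of the order described in the thread: the no-auth exemption is
    checked on the observed peer first; only then does the account matter."""
    peer = peer_seen_by_pms(client_ip, via_reverse_proxy)
    if allowed_without_auth(peer, allowlist):
        return "allowed (no auth required)"
    return "allowed (friend)" if account_is_friend else "denied"


def scenarios():
    """The four situations discussed in the thread, as (label, decision)."""
    return {
        "direct, LAN allowlisted, not a friend":
            access_decision(REMOTE_CLIENT, False, [LAN_NETWORK], False),
        "via proxy on PMS host, LAN allowlisted, not a friend":
            access_decision(REMOTE_CLIENT, True, [LAN_NETWORK], False),
        "via proxy, allowlist emptied, not a friend":
            access_decision(REMOTE_CLIENT, True, [], False),
        "via proxy, allowlist emptied, still a friend":
            access_decision(REMOTE_CLIENT, True, [], True),
    }


def host_vs_network():
    """A /32 host entry does not cover the rest of the LAN; a /24 does."""
    other_lan_host = "192.168.1.50"
    return {
        "192.168.1.1 covers 192.168.1.50":
            allowed_without_auth(other_lan_host, [LAN_HOST_ONLY]),
        "192.168.1.0/24 covers 192.168.1.50":
            allowed_without_auth(other_lan_host, [LAN_NETWORK]),
    }


if __name__ == "__main__":
    for label, result in {**scenarios(), **host_vs_network()}.items():
        print(f"{label}: {result}")
```

The second scenario is the one the thread is about: the ex-friend’s account no longer matters because the peer address PMS sees is the PMS host itself, which sits inside the allowlisted /24. Emptying the list (third scenario) restores the account check, which is the fix kegobeer-plex recommended; the last pair shows why an entry of 192.168.1.1 neither covers the LAN nor protects anything in particular.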